2 Southern Methodist UniversityList of Terms…TermMeaningCCCommon Criteria (Official ISO name is Evaluation Criteria for Information Technology Security)ClassGrouping of families that share a common focusComponentSmallest selectable set of elementsEvaluation Assurance Level (EAL)A package consisting of assurance components that represents a point on CC predefined assurance scaleFamilyA grouping of components that share security objective but may differ in emphasisSandeep JoshiSouthern Methodist University

3 Southern Methodist UniversityList of Terms…TermMeaningOrganizational Security PolicyOne or more security rules, procedures, practices or guidelines imposed by organization upon its operationsPackageA reusable set of either functional or assurance components, combined together to satisfy set of security policiesProtection Profile (PP)An implementation independent set of security requirementsSecurity TargetA set of security requirements and specification to be used as a basis for evaluation of identified TOESemi-FormalExpressed in a restricted syntax language with defined semanticsSandeep JoshiSouthern Methodist University

4 Southern Methodist UniversityList of TermsTermMeaningTarget Of EvaluationAn IT product or system and its associated administrator and user guidance documentation, that is the subject of evaluationTOE ResourceAnything consumable or usable in TOETOE Security Function (TSF)A set consisting of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of TSPTOE Security Policy (TSP)A set of rules that regulate how assets are managed, protected and distributed within a TOETrusted ChannelA means by which a use and a TSF can communicate with necessary confidence to support TSPSandeep JoshiSouthern Methodist University

5 Southern Methodist UniversityCommon CriteriaHistory…Originated out of three standardsITSEC (Information Technology Security Evaluation Criteria)European Standard, developed in early 1990s, by UK, France, the Netherlands, and GermanyTCSEC (Trusted Computer System Evaluation Criteria)Widely known as “Orange Book”Sandeep JoshiSouthern Methodist University

7 Southern Methodist UniversityHistory…First Draft (Version 1.0) was published in January 1996 for commentsVersion 2.0 was published in 1998, and was accepted by ISO as an Final Committee Draft (FCD) documentVersion 2.0 became ISO standard sometime in June 1999 with minor, mostly editorial modifications.Sandeep JoshiSouthern Methodist University

8 Southern Methodist UniversityHistoryTwo versions of CCs were released since then…Version 2.1 was released in August 1999, and now accepted as ISO standardVersion 2.2, the newest version, released this year (2004).Sandeep JoshiSouthern Methodist University

9 Southern Methodist UniversityWhy should we use the CC?What support does CC have?What guarantees do CC-certified/validated products provide?Where should we start, if we want to achieve CC-certificate/validation for our product?Sandeep JoshiSouthern Methodist University

10 What support does CC have?..National security and standards organizations within Canada, France, Germany, Netherlands, UK and USA worked in collaboration to replace their existing security evaluation criteria (SEC)Sandeep JoshiSouthern Methodist University

11 What support does CC have?Acceptance by ISO will ensure that CC rapidly becomes the world standard for security specification and evaluationWider choice for evaluated products for consumersGreater understanding of consumer requirementsGreater access to markets for developersSandeep JoshiSouthern Methodist University

12 What guarantees products will provide?A sound basis for confidence that security measures are appropriate to meet a given threat and that they are correctly implementedQuantifies/measures the extent to which security has been assessedIncludes an assurance scale, called as Evaluation Assurance Level (EAL)Sandeep JoshiSouthern Methodist University

13 Southern Methodist UniversityWho could be affected?DevelopersVendorsCommonCriteriaAccreditorsCertifiersApproversEvaluatorsConsumersSandeep JoshiSouthern Methodist University

24 Southern Methodist UniversityProtection Profiles…What is Protection Profile?Essentially an implementation independent statement of security requirements that is shown to address threats that exists in a specified environmentSandeep JoshiSouthern Methodist University

26 Southern Methodist UniversityProtection ProfilesWhen would you want a PP?When setting standards for particular product typeA government wishes to specify security requirements for a class of security products, like firewalls, etc.Or, a firm needs an IT system that addresses its security issuesSandeep JoshiSouthern Methodist University